{
	"id": "03537439-9eb3-46f6-8d2a-d8f46d331afa",
	"created_at": "2026-04-06T01:30:37.802001Z",
	"updated_at": "2026-04-10T13:11:48.734479Z",
	"deleted_at": null,
	"sha1_hash": "145b45fdb6907f29ceb32e4ae46b6369db2b075a",
	"title": "UltimaSMS: A widespread premium SMS scam on the Google Play Store",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63773,
	"plain_text": "UltimaSMS: A widespread premium SMS scam on the Google Play\r\nStore\r\nBy Jakub Vávra 25 Oct 2021\r\nArchived: 2026-04-06 01:21:13 UTC\r\nA fake photo editor, camera filter, games and other apps promoted via Instagram and TikTok channels\r\nLast week, I reported 80 apps belonging to a premium SMS scam campaign, which signs victims up for expensive\r\npremium SMS services that earn a bad actor or actors money while ultimately leaving victims completely empty-handed, to Google’s Security Team. This led to their swift removal from the Google Play Store. The apps that I\r\ndiscovered are part of the UltimaSMS campaign, consisting of 151 apps that at one point or another had been\r\navailable for download on the Google Play Store. These apps have been downloaded more than 10.5 million\r\ntimes, and are nearly identical in structure and functionality; essentially copies of the same fake app used to spread\r\nthe premium SMS scam campaign. This leads me to believe that one bad actor or group is behind the entire\r\ncampaign. I have dubbed the campaign “UltimaSMS”, because one of the first apps I discovered was called\r\nUltima Keyboard 3D Pro. \r\nThe fake apps I found feature a wide range of categories such as custom keyboards, QR code scanners, video and\r\nphoto editors, spam call blockers, camera filters, and games, among others. UltimaSMS appears to be a global\r\ncampaign, as according to insights from Sensor Tower, a mobile apps marketing intelligence and insights\r\ncompany, the apps have been downloaded by users from over 80 countries. The apps have been most downloaded\r\nby users in the Middle East, such as Egypt, Saudi Arabia, Pakistan, followed by users in the US and Poland. Avast\r\nhas traced the earliest UltimaSMS samples to May 2021 and new samples from the campaign were released earlier\r\nthis month, meaning that the scam is still ongoing.\r\nThe above table shows the top 10 countries where the apps have been downloaded,\r\naccording to Sensor Tower\r\nhttps://blog.avast.com/premium-sms-scam-apps-on-play-store-avast\r\nPage 1 of 6\n\nHow UltimaSMS scams users\r\nWhen a user installs one of the apps, the app checks their location, International Mobile Equipment Identity\r\n(IMEI), and phone number to determine which country area code and language to use for the scam. Once the user\r\nopens the app, a screen, localized in the language their device is set to, prompts them to enter their phone number,\r\nand in some cases, email address to gain access to the app’s advertised purpose. \r\n     \r\nSome of the many prompts that users can encounter upon opening the apps. They differ based on the country and\r\nare localized. Not all of them include fine print warning users’ of the potential charges.\r\nUpon entering the requested details, the user is subscribed to premium SMS services that can charge upwards of\r\n$40 per month depending on the country and mobile carrier. Instead of unlocking the apps’ advertised features,\r\nwhich users might assume should happen, the apps will either display further SMS subscriptions options or stop\r\nworking altogether. The sole purpose of the fake apps is to deceive users into signing up for premium SMS\r\nsubscriptions. While some of the apps include fine print describing this to users, not all of them do, meaning many\r\npeople who submitted their phone numbers into the apps might not even realize the extra charges to their phone\r\nbill are connected to the apps.\r\nhttps://blog.avast.com/premium-sms-scam-apps-on-play-store-avast\r\nPage 2 of 6\n\nAfter entering a phone number and/or email address, the apps will continue to display further SMS subscriptions\r\nor stop working altogether\r\nOnce subscribed, the premium SMS are charged weekly and, from what I can tell, appear to be the maximum\r\npossible amount that can be charged in the country the user is from. Many countries limit the amount of premium\r\nSMS charges that can occur within a week. The user may be notified by their carrier of the excessive charges, but\r\nthey could also go unnoticed for weeks or months. Affected users may dismiss the apps as nonfunctional and\r\nuninstall them, however, the SMS charges will continue and could amount up to an unpleasant sum.\r\nUltimaSMS on the Play Store\r\nThe apps discovered are essentially identical in structure, meaning the same base app structure is repurposed\r\nnumerous times. These copies are disguised as genuine apps through well constructed app profiles on the Play\r\nStore. The profiles feature catchy photos and enticing app descriptions alongside often high review averages.\r\nHowever, upon closer inspection, they have generic privacy policy statements and feature basic developer profiles\r\nincluding generic email addresses. They also tend to have numerous negative reviews from users that correctly\r\nidentified the apps as scams or have fallen for the scam.\r\nhttps://blog.avast.com/premium-sms-scam-apps-on-play-store-avast\r\nPage 3 of 6\n\nUsers often correctly recognize the scam apps in reviews\r\nUltimaSMS has been propagated through advertising channels on popular social media sites such as Facebook,\r\nInstagram and TikTok, as seen with other recent scams and cases of adware. There are numerous catchy video\r\nadvertisements targeting users on these social media platforms. It speaks to the size and impact of this particular\r\nstrain of scam apps, as the malicious actors are spending funds to boost downloads. Premium SMS scams are\r\nincreasingly prevalent as evidenced by Zimperium’s reporting of GriftHorse, for example. In fact, these types of\r\nscams are not new at all, they appear to just be making a comeback. Years ago there were malware families that\r\nwould secretly use dial-up modems to dial-up premium services, racking up thousands of dollars in charges.\r\nhttps://blog.avast.com/premium-sms-scam-apps-on-play-store-avast\r\nPage 4 of 6\n\nAdvert shown on Facebook for the Projector HD/AR Video Editor app\r\nHow to avoid UltimaSMS and similar scams\r\nRemain vigilant when downloading new apps, especially apps advertised in short and catchy\r\nvideos. Children may be particularly vulnerable to this type of scam.\r\nDisable premium SMS option with your carrier. While there are legitimate uses for premium\r\nSMS, such as donating to charities, it is an easy avenue for malicious actors to abuse. Disabling this\r\noption will nullify the UltimaSMS scam. Based on some of the user accounts that left negative\r\nreviews, it looks like children are among the victims, making this step especially important on\r\nchildren’s phones, as they may be more susceptible to this type of scam.\r\nCarefully check reviews. Scam apps often have boosted review averages, but written reviews may\r\nreveal the true purpose of an app. Checking the developer’s history and profile may also be useful.\r\nDon’t enter a phone number unless you trust the app. Being careful with personal details,\r\nincluding phone number and email, goes a long way to avoiding similar scams.\r\nRead the fine print before entering details. Legitimate apps will have Terms of Service and a\r\nPrivacy policy alongside a statement of how they intend to use your data and entered details.\r\nBe cautious when you find more than one app with the same name. Malicious apps can\r\nsometimes use the name and image of existing real and safe apps. In this scenario, a malicious app\r\nwas found to be masquerading as Truecaller, a caller ID and spam blocking app by True Software\r\nScandinavia AB used by over 290 million people.\r\nStick to official app stores when downloading apps. Although these apps were available on the\r\nGoogle Play Store, they have been removed by Google’s security team, but they are still available\r\nfor download elsewhere on the internet. \r\nhttps://blog.avast.com/premium-sms-scam-apps-on-play-store-avast\r\nPage 5 of 6\n\nTo explore the list of UltimaSMS IOCs, check out the dedicated page on GitHub.\r\nSource: https://blog.avast.com/premium-sms-scam-apps-on-play-store-avast\r\nhttps://blog.avast.com/premium-sms-scam-apps-on-play-store-avast\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.avast.com/premium-sms-scam-apps-on-play-store-avast"
	],
	"report_names": [
		"premium-sms-scam-apps-on-play-store-avast"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439037,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/145b45fdb6907f29ceb32e4ae46b6369db2b075a.pdf",
		"text": "https://archive.orkl.eu/145b45fdb6907f29ceb32e4ae46b6369db2b075a.txt",
		"img": "https://archive.orkl.eu/145b45fdb6907f29ceb32e4ae46b6369db2b075a.jpg"
	}
}